
Re: PyQT app accessible over network?

From Frank Millman <frank@chagford.com>
Subject Re: PyQT app accessible over network?
Date 2013-02-25 10:02 +0200
References (5 earlier) <mailman.2312.1361576247.2939.python-list@python.org> <20130224153134.4cab73a958ac7d1af476ae3d@gmx.net> <CAPTjJmrw7DvmdL3K8GqqYG1aexDWavo_LHZXcVG=hF_zJa2mWw@mail.gmail.com> <kgevgi$n8g$1@ger.gmane.org> <CAPTjJmr-XN0yuqyraYYs1X19k=Yo5JvVq1sGPWgqMFJntZg+sA@mail.gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.2494.1361779343.2939.python-list@python.org> (permalink)



On 25/02/2013 08:35, Chris Angelico wrote:
> On Mon, Feb 25, 2013 at 5:14 PM, Frank Millman <frank@chagford.com> wrote:
>> On 24/02/2013 16:58, Chris Angelico wrote:
>>> MySQL has a philosophical structure of "user logs in to app,
>>> but app logs in to database as superuser regardless of user login".
>>
>> Out of curiosity, is there anything wrong with that approach?
>>
>> The project I am developing is a business/accounting application, which
>> supports multiple database systems - at this stage, PostgreSQL, MS SQL
>> Server, and sqlite3.
>>
>> I use exactly the philosophy you describe above. If I relied on the RDBMS's
>> internal security model, I would have to understand and apply each one
>> separately.
>
> Fundamentally no; it's a viable approach, as evidenced by the success
> of MySQL and the myriad applications that use it in this way. It's a
> matter of damage control and flexibility. Suppose your web server were
> to be compromised - there are so many exploits these days that can
> result in files on the server being unexpectedly read and transmitted
> to the attacker. Your database superuser password (or, let's hope,
> "just" database admin) is compromised, and with it the entire
> database. This also forces you to treat the web application (usually
> PHP scripts) as back-end.
>

[snip much valuable food for thought]

>
> I'm sure others can weigh in with a lot more detail.
>

Thanks for the input, Chris - much appreciated.

I don't have a lot of experience in this area, but it is a very 
important topic and I have applied my mind to the issues as best I can, 
so I would appreciate a critique of my current approach.

The main app is written in python. It is designed to run on a server. It 
could be on the same server as the database or not - the person setting 
up the system supplies the connection parameters.

The app runs a web server (cherrypy) which anyone can connect to via a 
browser, with a valid userid and password. User credentials are stored 
in the database, and the system has its own mapping of which users (or 
rather roles) have access to which tables. The front end is written in 
Javascript.

So to refer to your two concerns of damage control and flexibility, the 
second one does not really apply in my case - I would never want the 
main app to run on a desktop.

Regarding security, obviously it is a concern. However, the various user 
ids and passwords have to be stored *somewhere*, and if it is 
compromised I would have thought that they would be equally vulnerable.

There is one idea I think is worth looking into, when I have time. I 
subscribe to the 'getmail' mailing list, and for a long time the 
maintainer has resisted pressure to encrypt the mailbox password in the 
configuration file, on the grounds that if the password is vulnerable, 
the encryption method is equally vulnerable, so it would give a false 
sense of security. However, he has recently been persuaded of the merits 
of using something called a 'keyring'. I don't know much about it, but 
it is on my list of things to look at some time.

All comments welcome.

Frank
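As an added example (not Frank's or the project's code), here is the app-side gate he describes: the application's single privileged database connection is fronted by its own role-to-table mapping, and the user credentials it stores are salted PBKDF2 hashes rather than plaintext, so a copy of the users table does not hand an attacker the passwords. The schema, roles, users and table names are constructed sample data, and sqlite3 stands in for whichever RDBMS sits behind the app.

```python
import hashlib
import hmac
import os
import sqlite3

# The app's own tables (constructed sample schema), plus one business table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (userid TEXT PRIMARY KEY, role TEXT, salt BLOB, pw_hash BLOB);
CREATE TABLE role_perms (role TEXT, tbl TEXT, can_read INTEGER, can_write INTEGER);
CREATE TABLE ledger (id INTEGER PRIMARY KEY, amount REAL);
INSERT INTO ledger VALUES (1, 100.0);
INSERT INTO role_perms VALUES ('accountant', 'ledger', 1, 1);
INSERT INTO role_perms VALUES ('clerk', 'ledger', 0, 0);
""")

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked users table yields no plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(userid: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (userid, role, salt, hash_password(password, salt)))

def authenticate(userid: str, password: str):
    """Return the user's role on success, None on unknown user or bad password."""
    row = conn.execute("SELECT role, salt, pw_hash FROM users WHERE userid = ?",
                       (userid,)).fetchone()
    if row is None:
        return None
    role, salt, pw_hash = row
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    return role if hmac.compare_digest(hash_password(password, salt), pw_hash) else None

def allowed(role: str, table: str, write: bool = False) -> bool:
    col = "can_write" if write else "can_read"   # fixed column names, never user input
    row = conn.execute(f"SELECT {col} FROM role_perms WHERE role = ? AND tbl = ?",
                       (role, table)).fetchone()
    return bool(row and row[0])

def read_table(userid: str, password: str, table: str):
    """The only gate in front of the app's fully privileged connection."""
    role = authenticate(userid, password)
    if role is None or not allowed(role, table):
        raise PermissionError(f"{userid!r} may not read {table!r}")
    # The table name reaches the SQL only after it matched a row in role_perms.
    return conn.execute(f"SELECT * FROM {table}").fetchall()

add_user("alice", "s3cret", "accountant")   # constructed sample users
add_user("bob", "hunter2", "clerk")
```

A real deployment would authenticate once per session rather than per query, but the shape of the check is the same: the database never sees the end user, so every access decision lives in this mapping.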
